dll issue after trojan removal

Posted on 2010-03-22
Medium Priority
Last Modified: 2012-05-09
AVG has detected and quarantined a trojan on this path - 'Trojan horse Agent2.AMFY on file pathname C:\WINDOWS\oxoyumogav.dll'

Although there does not appear to be a Trojan on my PC and all is functioning fine, except every time I start the PC I get the following error:

error loading C:\WINDOWS\oxoyumogav.dll
    The specified module could not be found.

Once I click OK I can use the PC with no further issues. I am running WinXP Home. I have opened the quarantine window in AVG and deleted it as well, believing this might remove the error.

Any ideas?
Question by:comautok

Expert Comment

ID: 28316297
The virus and/or infections are not fully cleaned. It may have, say, set up the Run key in the registry to run this DLL, which was expected to be removed but wasn't. There are several places where the launch of this DLL can be set up. It is worse if some legitimate DLL has been compromised to set up the run of this DLL.
But first start with the simple methods and see if that works.

Look in the registry, especially in the Run, RunAs and RunOnce keys, to see whether it is set up to run this DLL; if so, remove it.
You can use msconfig to see if it is set up under the Startup tab and other tabs.
Also check whether there is some batch file or anything suspicious in your Startup folder that needs to be removed.

Check whether you get the same message in safe mode too; if so, there is a high chance that some legitimate DLL is compromised, although I feel there is less chance of it. If not, then some redundant entry is expected that just needs to be removed. There are tools as well that list startup items such as exe, dll, com and bat from all places, like "HijackThis" and so on.


Accepted Solution

mkeiwua earned 2000 total points
ID: 28316362
Hi comautok,

Go to Start> Run and type msconfig.

You should see the System Configuration Utility. Click on the Startup tab and locate under the command column "C:\WINDOWS\oxoyumogav.dll".

Uncheck the checkbox next to it and save changes, reboot the machine and the offending dll should be out.

B Rgds,
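The check the two answers above describe (find the Run-key or msconfig Startup entry that still points at the quarantined DLL), as an added example that is not part of any post in this thread: it parses saved `reg query` output and flags entries whose target file no longer exists. The sample output, the value names and the `rundll32` launch form are constructed assumptions; only the DLL path comes from the question.

```python
import re

# Constructed sample of saved `reg query ...\CurrentVersion\Run` output.
# Value names and the AVG/ctfmon lines are made up; only the DLL path is from the thread.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    AVG_TRAY    REG_SZ    C:\PROGRA~1\AVG\avgtray.exe
    examplevalue    REG_SZ    Rundll32.exe "C:\WINDOWS\oxoyumogav.dll",a
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
"""
# Constructed stand-in for the disk: files that still exist after the cleanup.
PRESENT = {r"c:\progra~1\avg\avgtray.exe", r"c:\windows\system32\ctfmon.exe"}

VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s+REG_\w+\s+(?P<data>.*)$")
TOKEN_RE = re.compile(r'"([^"]+)"|(\S+)')  # quoted path or bare word

def parse_reg_query(text):
    """Yield (key, value_name, data) for every value line under a key header."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key and (m := VALUE_RE.match(line)):
            yield key, m.group("name"), m.group("data")

def target_file(command):
    """File an autostart command loads; for rundll32 that is the DLL argument."""
    tokens = [quoted or bare for quoted, bare in TOKEN_RE.findall(command)]
    if not tokens:
        return None
    if tokens[0].lower().rsplit("\\", 1)[-1] in ("rundll32", "rundll32.exe") and len(tokens) > 1:
        return tokens[1].split(",")[0]  # drop the ",EntryPoint" suffix
    return tokens[0]  # unquoted paths containing spaces are not handled here

def orphaned_autoruns(text, exists):
    """Entries whose target file is gone: the leftover that triggers the boot error."""
    return [(key, name, path)
            for key, name, data in parse_reg_query(text)
            if (path := target_file(data)) and not exists(path)]

def sample_exists(path):
    return path.lower() in PRESENT

if __name__ == "__main__":
    # On the real machine, pass os.path.exists instead of sample_exists.
    for key, name, path in orphaned_autoruns(SAMPLE, sample_exists):
        print(f"{key}\n    value {name!r} points at missing file {path}")
```

An entry flagged this way is the one to untick in msconfig or delete from the Run key; an entry whose file is still present needs a scan, not just removal of the entry.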

LVL 11

Expert Comment

ID: 28317384

Download & install Spybot 1.6. Update that Spybot & scan your whole computer. Use a good & purchased antivirus.


Tushar Kaskhedikar


Expert Comment

ID: 28317844

All DLLs in the Windows folder are needed for Windows XP to work well. You said it's removed by AVG. However, you should run a repair using the XP CD; it will automatically restore it. I think this is the best way for Windows XP to work well with all supported files.

LVL 18

Expert Comment

ID: 28323348

run ms autoruns and delete this dll

LVL 27

Expert Comment

ID: 28323479
>error loading C:\WINDOWS\oxoyumogav.dll<

Looks like the infection is still there!  Combofix can probably remove it.
Download ComboFix and save to your Desktop >

Before using ComboFix please disable any realtime Anti-virus, Anti-spyware, Shields, etc. that you may have running.
Also it may be necessary to rename ComboFix.exe (to Combo-Fix.exe for example), *before* saving it to your desktop.  If you have difficulties downloading it, try downloading to another machine, then into a USB memory stick or CD.  Rename it and carry to the infected machine, then try this key combination to reach a Run box>
Windows Logo+R: Run dialog box

Double click "combofix.exe" and follow the prompts.
When it's finished it will have produced a Logfile, probably at C:\ComboFix.txt.
You could post that log together with a HijackThis log, in a reply for us.
Please do not mouseclick Combofix's window while it is running, because it may stall.  
ComboFix should be run in normal mode.

Should you need it>   A guide and tutorial on using ComboFix:
LVL 18

Expert Comment

ID: 28325772
My explanation:
I have seen the same Trojan, and I think AVG has removed this malware but not the autostart entries. This virus creates DLLs with different names. Every time you start the computer, oxoyumogav.dll is trying to start. But the virus is not there.

To be sure that the Trojan is really deleted, also run ComboFix and Malwarebytes afterwards, as Jonvee said.
Later you can also run some Online Scanners:

Expert Comment

ID: 28354761
Norton 2010 run full updates and full system scan to kill off the remaining pieces of the virus.
Then insert the XP CD and boot to CD, run repair and restore that DLL file using the repair facility off the CD.  HELP at the repair function prompt will give you a list of help commands.  There is a restore command.

Author Comment

ID: 28396171
Thanks all. The PC in question won't be available again until tomorrow, so I will get back about this then after trying these suggestions.

Expert Comment

ID: 28471556
You can use a utility called HiJackThis to remove the offending entry; a quick Google search will find it.  If AVG quarantined the file, then as stated above the entry to run the file still exists and simply needs to be removed.
